Modern communication networks enable a user direct, “digital” use of a myriad of business and entertainment services at physical arm's length. The services enable such everyday tasks as checking bank accounts, making investments, purchasing goods, video conferencing, playing games, and participating in virtual worlds without a necessity of being present at any particular physical venue of the services.
To be commercially acceptable and viable, many of the services require authentication of their users to protect the users and/or the services from inappropriate use that may damage the users and/or the services. For example, online banking would not be commercially functional without stringent authentication procedures, and cloud based services, such as cloud data storage and computing, would not be useable without authentication procedures for safeguarding data integrity and confidentiality. Since physical presence is generally not a requirement, nor generally available or advisable for access to the services, once conventional face to face authentication of a user, has been replaced by various arms length, computer mediated procedures for authenticating a user's identity.
Typically, an authentication procedure requires presentation of a password. And almost everyone is familiar with the nuisance of remembering and using one of generally many assigned or personally generated passwords to authenticate himself or herself for access to such everyday services and devices, such as an automatic teller machine (ATM), or even his or her own laptop or tablet. Such passwords, referred to as static passwords, are not only difficult to manage and remember but are also relatively easily stolen or disclosed.
Many recent authentication procedures have adopted use of one-time passwords (OTPs) for authenticating a user to a service to which the user is subscribed. An OTP is a temporary password that is intended to be used only once to authenticate access of the user to the service, and once used, to be replaced by another OTP. To provide the user with repeated access to the service the user may be issued a device, conventionally referred to as a “token” or “OTP token, that generates and displays a sequence of OTPs for the user, each of which the user may present to the service for a one time authentication and access to the service. The token comprises a unique, secret digital key, hereinafter also referred to as an encryption key, or secret key, and uses an encryption algorithm to compute each OTP in the sequence as a function of the secret key, and generally a time at which the OTP is computed or a count of a number of times the user has accessed the service. Time may be provided by a clock comprised in the token and a count may be registered by a counter in the token.
For a token that computes OTPs as a function of the secret key and time or a count, the clock or counter in the token is synchronized with a clock or counter respectively in an authentication server that operates to authenticate requests for access to the service. The authentication server comprises or has access to an authentication database comprising a list of users subscribed to the service and the secret keys associated with their respective tokens. Hereinafter, a secret key associated with a user's OTP token may also be referred to as the user's secret key or secret OTP key. When a user desires access to the service, the user contacts the service using any suitable communication device such as for example a computer, laptop, tablet, or smartphone to submit a request for access to the service. To be authenticated and have the request granted, the user uses the communication device to submit an OTP provided by the user's OTP token, and usually a user ID or PIN, to the service. Upon receipt of the user's ID and OTP, the authentication server locates the user's secret key in the authentication database and generates a test OTP using the located secret key, the encryption algorithm used by the user's token to generate OTPs, and a time or count at which presumably the user token generated the submitted OTP. If the submitted OTP and the test OTP are the same, the user is authenticated and permitted access to the service.
Whereas authentication systems using OTPs provide convenient and improved security relative to authentication systems based on static passwords, the systems may be breached and the security they provide compromised if the authentication database is hacked and the list of users and associated secret keys stolen.